error reporting and security

Forum Moderators: coopster

Message Too Old, No Replies

error reporting and security

to remove or not to remove

punisa

3:09 pm on Apr 23, 2009 (gmt 0)

Hello everyone,
across my whole site I call data from my database like so:


$sql = "SELECT title FROM comments WHERE name='johndoe' LIMIT 1";
$result = mysql_query($sql, $conn)
or die('Could not get data; ' . mysql_error());
if (mysql_num_rows($result) == 0) {
} else {
while ($row = mysql_fetch_array($result)) {
...OUTPUT DATA
}
}

As I heard before this part is potentially dangerous:


or die('Could not get data; ' . mysql_error());

Should I just remove that part across my whole site once I'm done editing it?

lobo235

3:51 pm on Apr 23, 2009 (gmt 0)

I would suggest writing a function that will email the error and query to yourself and then spit out a generic error message to the user like "There was a critical error encountered while performing your request. The webmaster has been notified of the problem. Please try reloading the page or try your request at a later time."


function emailError( $query, $error )
{
 $time = date( 'Y-m-d H:i:s' );
 $msg .= "\n<br />\n<b>Page:</b> ".$_SERVER["REQUEST_URI"];
 $msg .= "\n<br />\n<b>Time:</b> ".$time;
 $msg .= "\n<br />\n<b>Query:</b> ".$query;
 $msg .= "\n<br />\n<b>Error:</b> ".$error;
 $headers = "Content-type: text/html; charset=iso-8859-1\n";
 $headers .= "From: sqlerrors@example.com";
 mail( 'email@example.com', $subject, $msg, $headers);
 return "<h3>There was a critical error encountered while performing your request. The webmaster has been notified of the problem. Please try reloading the page or try your request at a later time.</h3>";
}

Then just call it like this:


mysql_query($sql, $conn) or die(emailError($sql, mysql_error()));

punisa

4:04 pm on Apr 23, 2009 (gmt 0)

That's a very good idea, thank you :)

eeek

11:27 pm on Apr 23, 2009 (gmt 0)

Include a backtrace in the email as well.